Register Panorama with the ZTP Service for New Deployments

Register the Panorama™ management server with the ZTP service for new ZTP deployments.

After you install the ZTP plugin on the Panorama™ management server, you must register the Panorama with the ZTP service so that the ZTP service can associate firewalls with the Panorama. As part of the registration process for a new ZTP deployment, you automatically generate the device group and template configurations required to connect your ZTP firewalls to the ZTP service. After the device group and template are generated, you must add your ZTP firewalls to the device group and template so they can connect to the ZTP service after they first connect to Panorama.
  1. Log in to the Palo Alto Networks Customer Support Portal (CSP).
  2. Associate your Panorama with the ZTP Service on the Palo Alto Networks Customer Support Portal (CSP).
    The ZTP Service supports associating up to two Panoramas only if they are in a high availability (HA) configuration. If Panorama is not in an HA configuration, only a single Panorama can be associated.
    1. Select Assets > ZTP Service and Associate Panorama(s).
    2. Select the serial number of the Panorama managing your ZTP firewalls.
    3. (HA only) Select the serial number of the Panorama HA peer.
    4. Click OK.
  3. Select Panorama > Zero Touch Provisioning > Setup and edit the General ZTP settings.
  4. Register Panorama with the ZTP service.
    1. Enable ZTP Service.
    2. Enter the Panorama FQDN or IP Address.
      This is the FQDN or public IP address of the Panorama the ZTP plugin is installed on and that the CSP pushes to the ZTP firewalls.
      (All ZTP-enabled managed firewalls) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
      If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
    3. (HA only) Enter the Peer FQDN or IP Address.
      This is the FQDN or public IP address of the Panorama peer on which the ZTP plugin is installed and that the CSP pushes to the ZTP firewalls in case of failover.
      (All ZTP-enabled managed firewalls) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
      If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
    4. Click OK to save your configuration changes.
  5. Create the default device group and template to automatically generate the required configuration to connect your ZTP firewalls to Panorama.
    Adding the device group and template automatically generates a new device group and template that contain the default configuration to connect the Panorama and the ZTP firewalls.
    Palo Alto Networks recommends giving the ZTP device group and template a descriptive name that makes their purpose clear. Unintentionally modifying the default ZTP configuration results in connectivity issues if you want to re-use the device group and template to onboard new ZTP firewalls in the future.
    1. Add Device Group and Template.
    2. Enter the Device Group name.
    3. Enter the Template name.
    4. Click OK to save your configuration changes.
  6. Modify the ZTP device group, templates, and template stack as needed.
    Moving a ZTP firewall to a different device group or template stack is not supported. You must keep the ZTP firewalls in the ZTP device group and template stack that includes the ZTP template that were created. This is required for the firewall to maintain connectivity with Panorama and prevent any unintended configuration reverts on the firewall.
    When considering your device group hierarchy and template priority in your template stack, ensure that the device group and template containing the required ZTP configuration that allows the ZTP firewall and Panorama to communicate have priority such that the configuration is not overridden in the event of conflicting configurations.
    If modifying the ZTP device group and template used to onboard the ZTP firewall, be careful to not modify any of the ZTP configuration that was automatically populated when you created the device group and template in the previous step. This includes configurations like the Panorama IP address, virtual router, the ethernet1/1 interface, Security zone of the ethernet1/1 interface, the loopback.900 loopback interface, the rule1 Security policy rule, ztp-nat NAT policy rule, and the service route. These configurations are required to connect your ZTP firewall to Panorama and can lead to connectivity issues if modified.
  7. Select Commit and Commit to Panorama.
  8. Sync to ZTP Service and verify that the Panorama Sync Status displays as In Sync.
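
A drift check for the auto-populated ZTP objects named in step 6, as an added example (not Palo Alto Networks code): it hashes each named entry in a baseline snapshot taken right after step 5 and compares it with a later snapshot. The XML below is constructed and simplified, and the device group and template names `ztp-dg` and `ztp-tpl` are hypothetical; the only thing assumed about the configuration format is the `<entry name="...">` convention.

```python
import hashlib
import xml.etree.ElementTree as ET

# Entry names the page lists as auto-populated ZTP configuration.
# Unnamed settings (Panorama IP address, service route) are not covered here.
ZTP_ENTRIES = ("ethernet1/1", "loopback.900", "rule1", "ztp-nat")

def fingerprint(xml_text, scopes):
    """Hash each protected <entry> found under the named device group/template."""
    found = {}
    for scope in ET.fromstring(xml_text).iter("entry"):
        if scope.get("name") not in scopes:
            continue
        for elem in scope.iter("entry"):
            if elem.get("name") in ZTP_ENTRIES:
                raw = ET.tostring(elem, encoding="unicode").strip()
                canon = ET.canonicalize(raw, strip_text=True)  # ignore whitespace-only changes
                key = (scope.get("name"), elem.get("name"))
                found[key] = hashlib.sha256(canon.encode()).hexdigest()
    return found

def ztp_drift(baseline_xml, current_xml, scopes):
    """Return {(scope, entry): 'missing' | 'modified'} relative to the baseline."""
    base, cur = fingerprint(baseline_xml, scopes), fingerprint(current_xml, scopes)
    return {k: "missing" if k not in cur else "modified"
            for k in base if cur.get(k) != base[k]}

# Constructed, simplified snapshots (not a real Panorama export).
BASELINE = """<config>
  <device-group><entry name="ztp-dg">
    <entry name="rule1"><setting>generated</setting></entry>
    <entry name="ztp-nat"><setting>generated</setting></entry>
  </entry>
  <entry name="branch-dg"><entry name="rule1"><setting>x</setting></entry></entry>
  </device-group>
  <template><entry name="ztp-tpl">
    <entry name="ethernet1/1"><setting>generated</setting></entry>
    <entry name="loopback.900"><setting>generated</setting></entry>
  </entry></template>
</config>"""
CURRENT = (BASELINE
    .replace('<entry name="rule1"><setting>generated', '<entry name="rule1"><setting>edited')
    .replace('<entry name="loopback.900"><setting>generated</setting></entry>', ''))
SCOPES = {"ztp-dg", "ztp-tpl"}  # hypothetical ZTP device group and template names

if __name__ == "__main__":
    for key, state in sorted(ztp_drift(BASELINE, CURRENT, SCOPES).items()):
        print(key, state)
```

Run it before each commit in step 7; an empty result means the named ZTP entries still match the baseline.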